Black Basta Ransomware

Written by PolySwarm Tech Team | Jul 5, 2022 7:33:54 PM



Executive Summary

Cybereason recently reported on Black Basta ransomware, which has claimed around 50 victims so far, making it a prominent threat.

Key Takeaways

  • Black Basta ransomware, first identified in April 2022, has claimed around 50 victims and is considered a “prominent threat” by researchers at Cybereason.
  • The ransomware primarily targets entities in English-speaking countries, across multiple verticals.
  • Black Basta targets both Windows and VMware ESXi virtual machines running on enterprise Linux servers.

What is Black Basta?

Black Basta ransomware, first identified in April 2022, has claimed around 50 victims thus far. Based on compile dates, the ransomware may have been active as early as February 2022. The group’s first known activity was in mid-April when a user named BlackBasta posted on underground forums XSS[.]IS and EXPLOIT[.]IN. Their post, written in the Russian language, stated their intent to buy and monetize corporate network access, promising affiliates a share of the profit. The user sought access to organizations in the US, Canada, UK, Australia, and New Zealand. So far the threat actors behind Black Basta have targeted multiple verticals including manufacturing, construction, transportation, telecommunications, pharmaceuticals, cosmetics, plumbing and heating, automotive, clothing, and others.

Windows Version

Prior to infecting a victim with Black Basta, the threat actors attempt to infiltrate and move laterally across the network, carrying out a RansomOps attack. The threat actors harvest credentials and then target the Domain Controller, using PsExec for lateral movement. To evade detection, the threat actors create a Group Policy Object (GPO) that disables Windows Defender and attempt to disable any other anti-virus products. The final stage of the attack is the deployment of Black Basta ransomware via an encoded PowerShell command that leverages WMI to push the ransomware binary out to the target machines. In early June, the threat actors behind Black Basta reportedly used QBot to spread their ransomware.

Black Basta uses vssadmin.exe to delete the system’s volume shadow copies prior to encrypting a victim’s files. The ransomware also drops two files into %TEMP%: an icon file and a JPEG file. The icon file serves as the icon for encrypted files, while the JPEG file is set as the victim’s desktop wallpaper. The wallpaper contains the message: “Your network is encrypted by the Black Basta group. Instructions in the file readme.txt.” The ransomware encrypts files, appending the .basta extension, and drops a copy of the ransom note readme.txt in each folder. The ransom note is custom-tailored per victim and includes a unique identifier for the victim to use when communicating with the threat actors.
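As an added illustration (not part of the PolySwarm post or any Cybereason tooling), the following Python sketch tags process command lines for two of the behaviours described above: vssadmin shadow-copy deletion, and encoded PowerShell whose decoded body invokes WMI. The sample command lines are constructed for the example, and the encoded payload is a harmless stand-in built inline.

```python
import base64
import re

# Constructed sample process-creation command lines, not real telemetry.
def _encode_ps(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode()

SAMPLE_CMDLINES = [
    r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet",
    "powershell.exe -nop -w hidden -enc " + _encode_ps(
        'Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "notepad.exe"'),
    r"C:\Windows\System32\svchost.exe -k netsvcs",
    "powershell.exe -enc " + _encode_ps("Get-Date"),
]

VSSADMIN_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
# Longest switch spelling first so "-enc" is not consumed as "-e" + garbage.
ENC_RE = re.compile(r"(?:-encodedcommand|-enc|-ec|-e)\s+([A-Za-z0-9+/=]{16,})", re.I)
WMI_TERMS = ("invoke-wmimethod", "win32_process", "get-wmiobject", "invoke-cimmethod")

def decode_encoded_powershell(cmdline: str):
    """Return the decoded -EncodedCommand script, or None if absent or undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(cmdline: str) -> list:
    """Tag one command line with the Black Basta deployment behaviours it exhibits."""
    tags = []
    if VSSADMIN_RE.search(cmdline):
        tags.append("shadow-copy-deletion")
    decoded = decode_encoded_powershell(cmdline)
    if decoded is not None:
        tags.append("encoded-powershell")
        # Encoded PowerShell alone is noisy; WMI process creation in the body is the signal.
        if any(term in decoded.lower() for term in WMI_TERMS):
            tags.append("wmi-remote-exec")
    return tags

def hunt(cmdlines) -> dict:
    """Map each command line to its tags, keeping only lines with findings."""
    return {c: classify(c) for c in cmdlines if classify(c)}
```

The plain `Get-Date` line shows why the WMI check is kept separate from the encoded-PowerShell check: the former is common administrative noise, the latter combination matches the deployment step the post describes.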


Linux Version

The Linux version of Black Basta was observed in early June 2022, encrypting VMware ESXi virtual machines running on enterprise Linux servers. Except for the differences in operating systems, the Linux version operates similarly to the Windows version.


The threat actors behind Black Basta use double extortion tactics, threatening to publish stolen data if the victim does not pay the ransom. Researchers at Cybereason assess Black Basta to be a “prominent threat”, based on the rapid rate of successful attacks and the ransomware’s destructive potential.

IOCs

PolySwarm has multiple samples of Black Basta.


You can use the following CLI command to search for all Black Basta samples in our portal:

$ polyswarm link list -f BlackBasta

